Description
Establishes SYSTEM-level persistence by registering a WMI event consumer that fires when system uptime exceeds 1387 seconds and then runs a PowerShell cradle.
Overview
This script uses WMI to subscribe to an event and execute a Specter cradle when that event fires, providing persistence on the host. Because WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe), the cradle runs with SYSTEM privileges. Four triggers are available for persistence:
- OnStartup: Executes between 4 and 5 minutes after system startup.
- OnLogon: Executes on any user logon.
- OnInterval: Executes on an operator specified interval (e.g. every X seconds).
- OnTime: Executes every day at an operator-specified local time.
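Because the filter, consumer and binding objects all live in the root/subscription namespace, a defender can enumerate them directly. The following PowerShell audit, an added example rather than part of the Specter module, walks every __FilterToConsumerBinding, resolves its filter and CommandLineEventConsumer, and flags command lines that look like a PowerShell cradle (the indicator list is a constructed starting point and must be tuned to the environment):

```powershell
# Added example (not part of the Specter module): audit permanent WMI event
# subscriptions and flag CommandLineEventConsumers that resemble PowerShell cradles.
# Assumes it is run as an administrator on the host being audited.
$ns = 'root/subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Constructed list of substrings that commonly appear in download/execute cradles.
$suspicious = @('powershell', '-enc', '-e ', 'downloadstring', 'iex',
                'invoke-expression', 'hidden', 'bypass', 'frombase64string')

foreach ($b in $bindings) {
    # Binding.Filter / Binding.Consumer hold relative paths such as
    # __EventFilter.Name="SCM Health Check Filter", which match the objects' __RELPATH.
    $filter   = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
    $consumer = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }

    # Only CommandLineEventConsumers are resolved here; other consumer types are skipped.
    if (-not $consumer) { continue }

    $cmd  = "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim()
    $hits = $suspicious | Where-Object { $cmd.ToLower().Contains($_) }

    [PSCustomObject]@{
        Filter      = $b.Filter
        Query       = $filter.Query        # e.g. an __IntervalTimerInstruction or an uptime check
        Consumer    = $consumer.Name
        CommandLine = $cmd
        Suspicious  = [bool]$hits
        Indicators  = ($hits -join ', ')
    }
}
```

Creation of these objects is also recorded by Sysmon event IDs 19, 20 and 21 and by event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log, so the same check can be applied retrospectively to collected logs.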
Arguments
Parameter | Type | Description |
---|---|---|
FilterName | string | The name of the WMI event filter. |
ConsumerName | string | The name of the WMI event consumer. |
Trigger | string | The trigger type (OnStartup, OnLogon, OnInterval or OnTime) that runs a new PowerShell cradle. |
InteralPeriod | int | The number of seconds between executions of the PowerShell cradle when using the OnInterval trigger. |
ExecutionTime | TimeSpan | The local time, in hh:mm:ss format, at which to execute the PowerShell cradle when using the OnTime trigger. |
Build | string | The Specter build identifier. |
Dependencies
- None
Operating Systems
- Windows
Pre-Requisites
- High Integrity process.
Example Output
{
"Persistence": {
"Id": "babc72a228f94b1fb98d9c232d078e9b",
"Method": "WMI Event Subscription",
"Trigger": "OnInterval",
"Profile": "System",
"Event": "Create",
"Success": true,
"UninstallScript": "try {\r\n\t$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter \"Name = 'SCM Health Check Consumer'\"\r\n\t$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter \"Name = 'SCM Health Check Filter'\"\r\n\t$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query \"REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding\"\r\n\t$TimerIdToRemove = Get-WmiObject -Class __IntervalTimerInstruction -Filter \"TimerId='44631667'\"\r\n\t\r\n\t$FilterConsumerBindingToCleanup | Remove-WmiObject\r\n\t$EventConsumerToCleanup | Remove-WmiObject\r\n\t$EventFilterToCleanup | Remove-WmiObject\r\n\tif($TimerIdToRemove -ne $null) { $TimerIdToRemove | Remove-WmiObject }\r\n\t$success = $true\r\n} catch {\r\n\t$success = $false\r\n\tthrow\r\n}\r\n\t \r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"babc72a228f94b1fb98d9c232d078e9b\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t Method = \"WMI Event Subscription\";\r\n\t Profile = \"System\";\r\n\t Trigger = \"OnInterval\";\r\n\t}\r\n}",
"ConsumerName": "SCM Health Check Consumer",
"FilterName": "SCM Health Check Filter"
}
}